Although two-factor authentication is an important tool in protecting your online accounts, it's not a panacea. A single weak link in the chain can give an attacker a way into a system. In 2014, researchers demonstrated weaknesses in Signaling System 7 (SS7), the signaling protocol that wireless and landline carriers use to talk to each other for call routing, roaming and SMS delivery. Those weaknesses were one impetus for NIST's guidance in SP 800-63B that SMS will no longer be an acceptable way to deliver a second authentication factor.
Now there's a real-world example of why SMS is not a secure delivery method: O2-Telefonica in Germany has confirmed that some of its customers had their bank accounts drained by unknown attackers. The attack started with an ordinary phishing campaign to gather usernames, passwords, phone numbers and bank account details from the victims.
Next, the attackers used access to a rogue telephony provider so that when the bank sent its transaction-confirmation SMS (the mTAN), the message was delivered to a phone the attackers controlled instead of to the customer. That may sound difficult, but according to the article it is simple to set up a fake telco or buy temporary access to one, and once you have SS7 access the protocol's lack of authentication makes it trivial to tell the network that a subscriber's number is now roaming with you, so the carrier routes the SMS to a phone of your choosing. With the stolen credentials and the redirected codes, the attackers were able to log in and transfer funds out, robbing a bank without leaving the keyboard.
While this shows that SMS isn't a great second factor, it is still better than a username and password alone, because it forces the attackers to do more work. However, it is not as strong as an authenticator app such as Google or Microsoft Authenticator or a physical OTP token: those generate the code on the device from a shared secret and the current time, so there is no message crossing the carrier network for an SS7 attacker to redirect. Even those codes can be relayed by a phishing page in real time, which is why origin-bound hardware keys are stronger still. It's also important to remember that no matter how secure you make something, the bad guys will always try to find a new way in.
Source: The Register